A modular reconnaissance framework for bug bounty hunters and penetration testers. Built for efficiency, organization, and scalability.
"Your bugs are only as good as your recon."
ScopeHunter is designed around how professional bug bounty hunters actually work:
- One workspace per program: not per domain. Programs have multiple root domains.
- Scope-first: never accidentally test out-of-scope assets.
- Incremental discovery: add new root domains anytime, recon only what's new.
- Merged attack surface: see your complete target landscape in one place.
| Feature | Description |
|---|---|
| Preflight Check | Validates your entire environment before running |
| Scope Enforcement | Won't execute against out-of-scope domains |
| Modular Phases | Run all phases or just the one you need |
| Multi-Root Support | One program, unlimited root domains |
| Auto-Merge | Combines all results into unified attack surface |
| Dry Run Mode | Preview commands without executing |
| Clean Output | Organized, deduplicated, ready for testing |
```
ScopeHunter/
├── recon-preflight.sh   # Environment validator
├── recon-init.sh        # Workspace initializer
├── recon-run.sh         # Recon execution engine
├── README.md
├── LICENSE
└── .gitignore
```
```bash
git clone https://github.com/keusuanl-sec/ScopeHunter.git
cd ScopeHunter
chmod +x *.sh
```

```bash
./recon-preflight.sh --fix
```

This checks for required tools and downloads missing wordlists/resolvers.

```bash
./recon-init.sh hackerone-acme --tag "hackerone"
echo "target.com" >> ~/recon/hackerone-acme/scope.in.txt
echo "target.com" >> ~/recon/hackerone-acme/roots/known-roots.txt
```

```bash
./recon-run.sh hackerone-acme --root target.com
tree ~/recon/hackerone-acme/recon/
cat ~/recon/hackerone-acme/recon/target.com/httpx-output.txt
```
```bash
./recon-init.sh <program-name> [--tag "platform-tag"]

# Examples
./recon-init.sh bugcrowd-tesla --tag "bugcrowd"
./recon-init.sh htb-machine --tag "hackthebox"
./recon-init.sh personal-research
```

```bash
# Single root domain
./recon-run.sh <program> --root <domain>

# All known roots
./recon-run.sh <program> --all

# Specific phase only
./recon-run.sh <program> --root <domain> --phase passive

# Merge all results
./recon-run.sh <program> --merge

# Preview without running
./recon-run.sh <program> --root <domain> --dry-run
```

| Phase | Description |
|---|---|
| `passive` | Subfinder passive enumeration |
| `resolve` | DNS resolution (filter dead domains) |
| `active` | Brute-force + permutation discovery |
| `probe` | HTTP probing with httpx |
| `ports` | Port scanning with nmap |
| `all` | Run all phases (default) |
When you initialize a program, ScopeHunter creates:
```
~/recon/<program-name>/
├── config.env              # Workspace configuration
├── scope.in.txt            # In-scope root domains
├── scope.out.txt           # Out-of-scope exclusions
├── NOTES.md                # Your findings and observations
├── roots/
│   ├── known-roots.txt     # All discovered root domains
│   ├── pending-roots.txt   # Roots to process later
│   └── discovery-log.md    # How/when you found each root
├── recon/                  # Per-root recon outputs
│   └── <domain>/
│       ├── passive-subs.txt
│       ├── resolved.txt
│       ├── all-subs.txt
│       ├── httpx-output.txt
│       └── live-hosts.txt
├── merged/                 # Combined attack surface
│   ├── all-subs.txt
│   ├── all-live.txt
│   └── all-httpx.txt
└── reports/                # Curated findings
```
| Tool | Purpose |
|---|---|
| `subfinder` | Passive subdomain enumeration |
| `puredns` | DNS resolution + brute-forcing |
| `alterx` | Subdomain permutation generation |
| `httpx` | HTTP probing + tech detection |
| `anew` | Deduplication utility |
| `massdns` | Fast DNS resolution backend |
| `nmap` | Port scanning |
| `jq` | JSON parsing |
| File | Purpose |
|---|---|
| `resolvers.txt` | Public DNS servers for puredns |
| `subdomains-5k.txt` | Quick brute-force wordlist |
| `subdomains-100k.txt` | Thorough brute-force wordlist |

All files are automatically downloaded by `recon-preflight.sh --fix`.
```bash
# Day 1: Start a new program
./recon-init.sh hackerone-acme
echo "acme.com" >> ~/recon/hackerone-acme/scope.in.txt
echo "acme.com" >> ~/recon/hackerone-acme/roots/known-roots.txt
./recon-run.sh hackerone-acme --root acme.com

# Day 3: Discover acquired company via Crunchbase
echo "acquired-startup.io" >> ~/recon/hackerone-acme/scope.in.txt
echo "acquired-startup.io" >> ~/recon/hackerone-acme/roots/known-roots.txt
./recon-run.sh hackerone-acme --root acquired-startup.io

# Day 5: Find another domain via reverse WHOIS
echo "acme-internal.net" >> ~/recon/hackerone-acme/scope.in.txt
echo "acme-internal.net" >> ~/recon/hackerone-acme/roots/known-roots.txt
./recon-run.sh hackerone-acme --root acme-internal.net

# Merge everything for complete attack surface
./recon-run.sh hackerone-acme --merge

# View unified results
cat ~/recon/hackerone-acme/merged/all-live.txt
```

Edit `config.env` in your workspace to customize:
```bash
# Tool settings
THREADS=50
HTTPX_RATE=150
PUREDNS_RATE=500

# Workflow options
SKIP_BRUTEFORCE=0       # Set to 1 to skip
SKIP_PERMUTATIONS=0     # Set to 1 to skip
SKIP_PORTSCAN=0         # Set to 1 to skip
WORDLIST_SIZE="small"   # "small" or "medium"

# Safety
DRY_RUN=0               # Set to 1 to preview only
```

ScopeHunter enforces scope at every step:
- Before execution: validates the domain is in `scope.in.txt`
- During merge: filters results against `scope.out.txt`
- Won't run: if the domain isn't explicitly in scope
This protects you from accidentally testing out-of-scope assets.
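
One way to implement the scope gate described above, as an added example (not ScopeHunter's own code). It assumes one domain per line in `scope.in.txt` and `scope.out.txt`, treats an entry as covering itself and its subdomains, and lets exclusions win; the function names and sample domains are hypothetical.

```shell
# Added example, not ScopeHunter's code. Assumes one domain per line;
# blank lines and '#' comments are ignored. Function names are hypothetical.

# Lowercase, drop whitespace/CR and a trailing root dot.
normalize() {
    printf '%s' "$1" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'
}

# matches_list HOST FILE: 0 if HOST equals an entry or is a subdomain of one.
matches_list() {
    local host entry
    host=$(normalize "$1")
    [ -n "$host" ] && [ -r "$2" ] || return 1
    while IFS= read -r entry || [ -n "$entry" ]; do
        entry=$(normalize "${entry%%#*}")
        [ -n "$entry" ] || continue
        # Match on a label boundary: "evil-target.com" must not match "target.com".
        case "$host" in
            "$entry" | *."$entry") return 0 ;;
        esac
    done < "$2"
    return 1
}

# in_scope HOST SCOPE_IN SCOPE_OUT: deny by default, exclusions win.
in_scope() {
    matches_list "$1" "$2" || return 1
    if matches_list "$1" "$3"; then return 1; fi
    return 0
}

# filter_scope SCOPE_IN SCOPE_OUT: hosts on stdin, in-scope hosts on stdout.
filter_scope() {
    local h
    while IFS= read -r h || [ -n "$h" ]; do
        if in_scope "$h" "$1" "$2"; then printf '%s\n' "$(normalize "$h")"; fi
    done
}

# Constructed sample data (placeholder domains).
scope_demo() {
    local d; d=$(mktemp -d)
    printf 'target.com\n# acquired brand\nExample.org.\n' > "$d/scope.in.txt"
    printf 'payments.target.com\n' > "$d/scope.out.txt"
    printf '%s\n' api.target.com evil-target.com target.com.evil.net \
        x.payments.target.com WWW.example.org |
        filter_scope "$d/scope.in.txt" "$d/scope.out.txt"
    rm -rf "$d"
}
scope_demo
```

A plain `grep "$domain" scope.in.txt` would accept look-alike hosts such as `evil-target.com`; matching on the dot boundary is what prevents that.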
Contributions are welcome! Feel free to:
- Report bugs
- Suggest features
- Submit pull requests
This project is licensed under the MIT License - see the LICENSE file for details.
keusuanl-sec (@keusuanl-sec)
- Built with assistance from Claude AI by Anthropic
- Inspired by the wiz Bugbounty-Masterclass Course, Hackthebox, bug bounty community and hunters sharing their methodologies
- Tools by ProjectDiscovery, tomnomnom, and others
This tool is intended for authorized security testing only. Always ensure you have written permission before testing any target. The author is not responsible for misuse of this tool.
Happy Hunting! 🎯